
    
          
  
          

    
  
  
  
  

    
  
  
  
  
  
  
  
  

    
  
  
  
  

    
  
  
      
    
  
  
  

    

    
  
  
  
  

    
  
  
  

    
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  

    
  

    


    
    
    
    
    
    
    
    
  
  
        <!DOCTYPE html>  <html lang="en" itemscope itemtype="http://schema.org/WebPage">    <head>        <meta charset="UTF-8">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta name="viewport" content="width=device-width,initial-scale=1">                  
    
    
        <title>GobRAT malware written in Go language targeting Linux routers - JPCERT/CC Eyes | JPCERT Coordination Center official Blog</title>
    <meta name="description" content="JPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023. This blog article explains the details of the attack confirmed by JPCERT/CC and GobRAT malware, which was used in the attack. ### Attack flow up to...">
    <meta name="keywords" content="">
  
    
    
    
    
    

  
                      
    
    
        <meta property="og:type" content="website">
    <meta property="og:locale" content="en_US">
    <meta property="og:title" content="GobRAT malware written in Go language targeting Linux routers - JPCERT/CC Eyes">
    <meta property="og:url" content="https://blogs.jpcert.or.jp/en/2023/05/gobrat.html">
    <meta property="og:description" content="JPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023. This blog article explains the details of the attack confirmed by JPCERT/CC and GobRAT malware, which was used in the attack. ### Attack flow up to...">
    <meta property="og:site_name" content="JPCERT/CC Eyes">
    <meta property="og:image" content="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig5-800wi.png">
      
    
    
    
    
    

  
                      
    
    
        <meta name="twitter:card" content="summary_large_image">
        <meta name="twitter:title" content="GobRAT malware written in Go language targeting Linux routers - JPCERT/CC Eyes">
    <meta name="twitter:description" content="JPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023. This blog article explains the details of the attack confirmed by JPCERT/CC and GobRAT malware, which was used in the attack. ### Attack flow up to...">
    <meta name="twitter:image" content="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig5-800wi.png">
  
    
    
    
    
    

  
                      
    
    
        <meta itemprop="description" content="JPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023. This blog article explains the details of the attack confirmed by JPCERT/CC and GobRAT malware, which was used in the attack. ### Attack flow up to...">
    <link itemprop="url" href="https://blogs.jpcert.or.jp/en/2023/05/gobrat.html">
    <link itemprop="image" href="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig5-800wi.png">
  
    
    
    
    
    

  
            <link rel="start" href="/en/">    <link rel="alternate" type="application/atom+xml" href="/en/atom.xml">        <link rel="stylesheet" href="/en/common/css/styles.css">    <link rel="shortcut icon" type="image/x-icon" href="/en/common/images/favicon.ico">    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css" integrity="sha256-NuCn4IvuZXdBaFKJOAcsU2Q3ZpwbdFisd5dux4jkQ5w=" crossorigin="anonymous" />    <!--[if lt IE 9]>    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" integrity="sha256-3Jy/GbSLrg0o9y5Z5n1uw0qxZECH7C6OQpVBgNFYa0g=" crossorigin="anonymous"></script>    <script src="//cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.min.js" integrity="sha256-g6iAfvZp+nDQ2TdTR/VVKJf3bGro4ub5fvWSWVRi2NE=" crossorigin="anonymous"></script>    <![endif]-->              <!-- Global site tag (gtag.js) - Google Analytics -->
                
        <link rel="canonical" href="https://blogs.jpcert.or.jp/en/2023/05/gobrat.html" />

  
      </head>  <body class="page_english">              
    <!-- prepend body -->

  
            
  
  
        
    

    


        
    
    
        
                  

        
        
  
    
    
    
    
    


        <div id="content" class="clearfix">

            <div id="main-wrapper">
        <main role="main">

                    
        
    <article id="entry-2381086" class="entry">

        
    
    
    
    <div class="entry-meta clearfix">

    <div class="entry-author">
      <figure>
        <a href="https://blogs.jpcert.or.jp/en/masubuchi/">
          <img src="https://movabletype.net/users/masubuchi/blog_image.png" width="50" height="50" alt="増渕 維摩(Yuma Masubuchi)">
        </a>
      </figure>
      <p><a href="https://blogs.jpcert.or.jp/en/masubuchi/">増渕 維摩(Yuma Masubuchi)</a></p>
    </div>

    <div class="entry-date">
      <time datetime="2023-05-29T00:00:00+09:00">May 29, 2023</time>
    </div>

  </div>

    
    
    


        <h2 class="entry-title">GobRAT malware written in Go language targeting Linux routers</h2>

        
    
        
    

        
  
  


        
    
    

    
    


        <section class="entry-content clearfix">
      <p>JPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023. This blog article explains the details of the attack confirmed by JPCERT/CC and GobRAT malware, which was used in the attack.</p>

<h3>Attack flow up to malware execution</h3>

<p>Initially, the attacker targets a router whose web UI is open to the public, executes scripts, possibly by exploiting vulnerabilities, and finally infects the router with GobRAT. Figure 1 shows the flow of the attack up to the point where GobRAT infects the router.</p>

<p><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig1-800wri.png" width="800" height="479" alt="" class="asset asset-image at-xid-2728479 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>

<div style="text-align: center;">Figure 1: Attack Flow</div>

<p><br></p>

<p><strong>Loader Script</strong> works as a loader, containing functions such as generating various scripts and downloading GobRAT. An SSH public key, which is assumed to be used for the backdoor, is hard-coded in the script. In addition, persistence is handled by <strong>Loader Script</strong>, which uses crontab to register the file path of <strong>Start Script</strong>; GobRAT itself does not have a persistence function. The functions of <strong>Loader Script</strong> are as follows:</p>

<ul>
<li>Disable the firewall function</li>
<li>Download GobRAT for the target machine's architecture</li>
<li>Create <strong>Start Script</strong> and make it persistent</li>
<li>Create and run <strong>Daemon Script</strong></li>
<li>Register an SSH public key in /root/.ssh/authorized_keys</li>
</ul>

<p>Figure 2 is the code of <strong>Start Script</strong>, which executes GobRAT. The script is distinctive in that it writes the startup time to a file named <strong>restart.log</strong>. In addition, this script executes GobRAT under the file name <strong>apached</strong> to make it look like a legitimate process.</p>

<p><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig2-800wri.png" width="800" height="375" alt="" class="asset asset-image at-xid-2728480 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>

<div style="text-align: center;">Figure 2: Start Script</div>

<p><br></p>

<p>Figure 3 is the code of <strong>Daemon Script</strong>. This script checks every 20 seconds whether <strong>Start Script</strong> is running, and if not, it starts the script. This code was probably prepared in case <strong>Start Script</strong> is terminated unexpectedly.</p>

<p><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig3-320wri.png" width="320" height="180" alt="" class="asset asset-image at-xid-2728482 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>

<div style="text-align: center;">Figure 3: Daemon Script</div>

<h3>GobRAT Overview</h3>

<p>GobRAT is a RAT written in the Go language that communicates with its C2 server via TLS and executes various commands. It is packed with UPX (version 4 series), and samples for various architectures such as ARM, MIPS, x86, and x86-64 have been confirmed. GobRAT performs the following checks at startup and keeps the information within the sample itself.</p>

<ul>
<li>Its own IP address and MAC address</li>
<li>Uptime, obtained with the uptime command</li>
<li>Network communication status, read from /proc/net/dev</li>
</ul>

<p>The following sections describe GobRAT’s communication method, its encryption method, and the commands it executes.</p>

<h3>Communication method</h3>

<p>GobRAT uses TLS to exchange data with its C2 server. Figure 4 shows an example of communication with the C2 server. The first 4 bytes indicate the size of the data, and the rest is gob[1] data. gob is a data serialization protocol available only in the Go language. GobRAT uses gob for receiving commands and sending the results of command execution.</p>

<p><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig4-800wri.png" width="800" height="312" alt="" class="asset asset-image at-xid-2728483 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>

<div style="text-align: center;">Figure 4: Example of communication content</div>

<p><br></p>

<p>GobRAT defines gob data as a PACKAGE structure in the sample as follows.</p>

<pre style='padding: 10px 10px;color:#d1d1d1;background:#1f1f1f;overflow: auto;white-space: pre'>
// PACKAGE is the structure GobRAT defines for the gob data it exchanges with
// its C2 server: commands received and command execution results sent.
// On the wire, the gob data follows a 4-byte field giving the data size.
// Which fields are used differs depending on the command type.
type PACKAGE struct {
    Type uint8                  // Command ID (presumably the values listed in Appendix A)
    BotCount uint16             // Parameter
    BotList []string            // Command parameter (string array)
    ParamLength uint16          // Length of Param
    Param map[string]string     // Command parameter (string map)
    Content []uint8             // Command parameter, command execution result, etc. (binary data)
}
</pre>

<p>The fields used are different depending on the type of command, and string arrays, maps, and binary data are supported so that various types of parameters can be passed. In addition, while binary data can be stored in Content of the PACKAGE structure, map data with string is converted to binary data by encoding it with the json.Marshal function. The PACKAGE structure is used in various ways depending on the command, such as storing the data in Content, or converting the defined structure to binary data in the same way and storing it in Content.</p>

<h3>Encryption Method</h3>

<p>Strings such as C2 and Linux commands are encrypted and stored in the sample. Figure 5 shows GobRAT's decryption function. AES-128 in CTR mode is used to decrypt strings, and the key and IV are hard-coded in the sample. The same key (<strong>050CFE3706380723433807193E03FE2F</strong>) and IV (<strong>"12345678abcdefgh"</strong>) are used in all the confirmed samples. In addition, as shown in Figure 6, code that was probably developed by the attacker, such as this decryption function, has a distinctive folder structure like <strong>aaa.com/bbb/me~</strong>.</p>

<p><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig5-800wri.png" width="800" height="630" alt="" class="asset asset-image at-xid-2728484 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>

<div style="text-align: center;">Figure 5: String decryption function</div>

<p><br></p>

<p><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gobrat-fig6-320wri.png" width="320" height="517" alt="" class="asset asset-image at-xid-2728485 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></p>

<div style="text-align: center;">Figure 6: Characteristic folder structure</div>

<p><br></p>

<h3>Commands executed</h3>

<p>GobRAT has 22 commands that are executed on instruction from the C2 server, and we have identified the following commands. Since the malware targets routers, most of its functions are related to communication, such as frpc, socks5, and reconfiguration of C2. See Appendix A for command details.</p>

<ul>
<li>Obtain machine information</li>
<li>Execute reverse shell</li>
<li>Read/write files</li>
<li>Configure new C2 and protocol</li>
<li>Start socks5</li>
<li>Execute file in /zone/frpc</li>
<li>Attempt to log in to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine</li>
</ul>

<h3>GobRAT Analysis Tools</h3>

<p>Since GobRAT uses gob for communication, if you want to emulate its communication with C2 to check commands, you need to create a program using Go language. Our C2 emulation tool that supports GobRAT analysis is available on GitHub. Please download it from the following webpage for your analysis.</p>

<p><strong>JPCERTCC/aa-tools/GobRAT-Analysis - GitHub</strong><br>
  <a href="https://github.com/JPCERTCC/aa-tools/tree/master/GobRAT-Analysis">https://github.com/JPCERTCC/aa-tools/tree/master/GobRAT-Analysis</a></p>

<h3>In Closing</h3>

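<p>In recent years, different types of malware using the Go language have been confirmed, and the GobRAT malware confirmed this time uses gob, which can only be handled by the Go language, for communication. Please remain alert to malware that infects routers, not limited to GobRAT, since such infections are difficult to detect. On a device suspected of infection, the artifacts described above are concrete things to check: the crontab entry for <strong>Start Script</strong>, an unfamiliar key in /root/.ssh/authorized_keys, a process named <strong>apached</strong>, and the <strong>restart.log</strong> file. Please refer to Appendix B for the C2 of the malware, Appendix C for the hash values of the scripts, and Appendix D for the hash values of the malware.</p>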

<p style="text-align: right">Yuma Masubuchi</p>

<p style="text-align: right">Translated by Takumi Nakano</p>

<h4>Appendix A: Commands</h4>

<div style="text-align: center;">Table A: GobRAT commands</div>

<table>
<thead>
<tr>
<th align="center">Value</th>
<th align="left">Contents</th>
</tr>
</thead>
<tbody>
<tr>
<td align="center">0x0</td>
<td align="left">Update json data held in malware and acquire update results</td>
</tr>
<tr>
<td align="center">0x1</td>
<td align="left">Retrieve json data held in malware</td>
</tr>
<tr>
<td align="center">0x3</td>
<td align="left">Start reverse shell</td>
</tr>
<tr>
<td align="center">0x4</td>
<td align="left">End of reverse shell connection</td>
</tr>
<tr>
<td align="center">0x6</td>
<td align="left">Confirmation of reverse shell connection</td>
</tr>
<tr>
<td align="center">0x7</td>
<td align="left">Execute shell command for daemon</td>
</tr>
<tr>
<td align="center">0x8</td>
<td align="left">Execute shell command</td>
</tr>
<tr>
<td align="center">0xD</td>
<td align="left">Read/write specified file</td>
</tr>
<tr>
<td align="center">0x10,0x11</td>
<td align="left">Read/write specified file</td>
</tr>
<tr>
<td align="center">0x16</td>
<td align="left">Obtain various machine information such as df command</td>
</tr>
<tr>
<td align="center">0x17</td>
<td align="left">Set new communication channel for TCP</td>
</tr>
<tr>
<td align="center">0x18</td>
<td align="left">Execute SOCKS5 proxy with specified port and password</td>
</tr>
<tr>
<td align="center">0x19</td>
<td align="left">Execute SOCKS5 proxy on specified port</td>
</tr>
<tr>
<td align="center">0x1a</td>
<td align="left">New communication channel setting for UDP</td>
</tr>
<tr>
<td align="center">0x1b</td>
<td align="left">Execute frpc after executing SOCKS5 proxy on port 5555</td>
</tr>
<tr>
<td align="center">0x1f</td>
<td align="left">Check for the existence of the specified file</td>
</tr>
<tr>
<td align="center">0x25</td>
<td align="left">Login attempts for SSH, Telnet, Redis, MySQL, PostgreSQL</td>
</tr>
<tr>
<td align="center">0x27</td>
<td align="left">Configuration of specified goroutine</td>
</tr>
<tr>
<td align="center">0x2a</td>
<td align="left">Scan the HTTP/HTTPS service of the specified IP</td>
</tr>
<tr>
<td align="center">0x2D</td>
<td align="left">Dictionary attack against the HTTP/HTTPS service of the specified IP</td>
</tr>
<tr>
<td align="center">0x30</td>
<td align="left">C2 configuration related</td>
</tr>
<tr>
<td align="center">0x31</td>
<td align="left">DDoS attacks using SYN, TCP, UDP, HTTP, ICMP</td>
</tr>
</tbody>
</table>

<h4>Appendix B: C2</h4>

<ul>
<li>https[:]//su.vealcat[.]com</li>
<li>http[:]//su.vealcat[.]com:58888</li>
<li>https[:]//ktlvz.dnsfailover[.]net</li>
<li>http[:]//ktlvz.dnsfailover[.]net:58888</li>
<li>su.vealcat[.]com</li>
<li>ktlvz.dnsfailover[.]net</li>
<li>wpksi.mefound[.]com</li>
</ul>

<h4>Appendix C: Hash values of the scripts</h4>

<ul>
<li>060acb2a5df6560acab9989d6f019fb311d88d5511f3eda0effcbd9fc6bd12bb</li>
<li>feaef47defd8b4988e09c8b11967e20211b54e16e6df488780e2490d7c7fa02a </li>
<li>3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1 </li>
<li>60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3 </li>
</ul>

<h4>Appendix D: Hash values of the malware</h4>

<ul>
<li>a8b914df166fd0c94106f004e8ca0ca80a36c6f2623f87a4e9afe7d86b5b2e3a </li>
<li>aeed77896de38802b85a19bfcb8f2a1d567538ddc1b045bcdb29cb9e05919b60 </li>
<li>6748c22d76b8803e2deb3dad1e1fa7a8d8ff1e968eb340311fd82ea5d7277019</li>
<li>e133e05d6941ef1c2e3281f1abb837c3e152fdeaffefde84ffe25338fe02c56d</li>
<li>43dc911a2e396791dc5a0f8996ae77ac527add02118adf66ac5c56291269527e </li>
<li>af0292e4de92032ede613dc69373de7f5a182d9cbba1ed49f589ef484ad1ee3e</li>
<li>2c1566a2e03c63b67fbdd80b4a67535e9ed969ea3e3013f0ba503cfa58e287e3</li>
<li>98c05ae70e69e3585fc026e67b356421f0b3d6ab45b45e8cc5eb35f16fef130c</li>
<li>300a92a67940cfafeed1cf1c0af25f4869598ae58e615ecc559434111ab717cd</li>
<li>a363dea1efda1991d6c10cc637e3ab7d8e4af4bd2d3938036f03633a2cb20e88 </li>
<li>0c280f0b7c16c0d299e306d2c97b0bff3015352d2b3299cf485de189782a4e25</li>
<li>f962b594a847f47473488a2b860094da45190738f2825d82afc308b2a250b5fb </li>
<li>4ceb27da700807be6aa3221022ef59ce6e9f1cda52838ae716746c1bbdee7c3d </li>
<li>3e1a03f1dd10c3e050b5f455f37e946c214762ed9516996418d34a246daed521 </li>
<li>3bee59d74c24ef33351dc31ba697b99d41c8898685d143cd48bccdff707547c0 </li>
<li>c71ff7514c8b7c448a8c1982308aaffed94f435a65c9fdc8f0249a13095f665e</li>
</ul>

<h4>References</h4>

<p>[1] Gobs of data<br>
<a href="https://go.dev/blog/gob">https://go.dev/blog/gob</a></p>

      

    </section>

        
    
    

    
    


        
    
    
          
    <section class="entry-author-detail">
    <div class="entry-author-detail-header">
      <p class="title">Author</p>
    </div>

    <div class="entry-author-detail-body clearfix">
      <figure>
        <img src="https://movabletype.net/users/masubuchi/blog_image.png" width="90" height="90" alt="増渕 維摩(Yuma Masubuchi)">
      </figure>
      <div class="entry-author-detail-body-text">
        <p class="name"><a href="https://blogs.jpcert.or.jp/en/masubuchi/">増渕 維摩(Yuma Masubuchi)</a></p>
        <div class="profile">
          <p>
















































Yuma has been engaged in malware analysis and coordination of cyber security incidents in JPCERT/CC Incident Response Group since November 2020.


</p>
        </div>
      </div>
    </div>
  </section>

    
    
    


        
    
  




    


        
    
      
    
            
    
    
    


        
    
    

    
    


  </article>



  

        </main>
      </div>

            
    <aside>

        



        
  


        
        
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
      
            
      


        
  


        
    
      
    


    
        
      


  </aside>



    </div>

        
    

    


  </body>
  </html>

    

              